If you have an example Mode 23 request / response that would be helpful.
For example, in the OS I have disassembled it looks like 0x40012d24 is the engine speed in RAM, but I haven't tried to figure out how to convert that into the Mode 23 message.
Based on the disassembly I think this ECU Mode 23 needs a 4 byte address and a 2 byte memory size and I found this online, but it's quite vague.
Memory Address:
The parameter memoryAddress is used to select the starting address of ECU memory from which data is to be
retrieved. A portion of the memoryAddress parameter (most significant bits or bytes) can be used as a
memoryIdentifier.
An example of the use of a memoryIdentifier would be a dual processor ECU with 16-bit addressing and
memory address overlap (when a given address is valid for either processor but yields a different physical
memory device). In this case, a 3-byte memoryAddress parameter can be specified and the most significant
byte of the memoryAddress parameter could then be used to select which physical memory device the tester is
attempting to retrieve data from. Any usage of a memoryIdentifier shall be documented in the appropriate CTS,
SSTS or supplemental diagnostic specification referenced by the CTS or SSTS.
Memory Size:
The parameter memorySize is used to select the number of consecutive memory addresses (in ascending
order) to be read starting at memoryAddress (memorySize includes the starting location). The contents of the
range of addresses defined by memoryAddress and memorySize are provided in the positive response
message. memorySize shall have a value between 1 and 4092 bytes if a 2-byte memoryAddress parameter is
used (4091 if 3-byte addressing is used and 4090 if 4-byte addressing is used). The maximum value comes
from the maximum number of bytes allowed by the USDT protocol, less the bytes for the response service
Identifier and the address information from the request message which is included in the response. An ECU
may choose to limit the maximum value of memorySize based on ECU resources (e.g., the size of the Network
Layer Buffer). If an ECU limits the maximum value of the memorySize parameter, then the maximum allowed
value shall be documented in the appropriate CTS or SSTS.
This is what I have so far in the Mode 23 decompile function in Ghidra:
Code: Select all
/* Read Memory By Address */
void Mode_23_Func(undefined *param_1)
{
byte bVar1;
short sVar2;
bool bVar3;
bool bVar4;
longlong lVar5;
undefined *puVar6;
int iVar7;
char cVar8;
uint uVar9;
int iVar10;
uint uVar11;
lVar5 = (longlong)(int)param_1;
puVar6 = (undefined *)FUN_0032624c();
sVar2 = *(short *)param_1;
iVar7 = Convert_Mem_Address(lVar5 + 3);
bVar1 = param_1[8];
if (sVar2 != 7) {
/* subFunctionNotSupported */
Diag_Response(lVar5,0x12);
return;
}
if (*(ushort *)(param_1 + 7) - 1 < 0x10) {
cVar8 = Check_Address_Range?(iVar7,bVar1);
if ((cVar8 == '\0') &&
((Security_Access_Unlocked == '\x01' ||
((cVar8 = FUN_002d49e8(), cVar8 == '\0' && (cVar8 = FUN_00324b20(), cVar8 == '\x01')))))) {
/* requestOutOfRange */
Diag_Response(lVar5,0x31);
}
else {
bVar3 = false;
bVar4 = false;
uVar11 = 0;
uVar9 = (uint)bVar1;
if (uVar9 != 0) {
do {
iVar10 = (uVar11 & 0xff) + iVar7;
cVar8 = FUN_002ff4f8(iVar10);
if (cVar8 == '\0') {
bVar3 = true;
}
cVar8 = FUN_003040f0(iVar10);
if (cVar8 == '\0') {
bVar4 = true;
}
uVar11 = uVar11 + 1;
} while ((uVar11 & 0xff) < uVar9);
if ((bVar4 && bVar3) && (Security_Access_Unlocked != '\0')) {
/* requestOutOfRange */
Diag_Response(lVar5,0x31);
return;
}
}
uVar11 = 0;
if (uVar9 != 0) {
do {
puVar6[uVar11 + 7] = *(undefined *)(iVar7 + uVar11);
uVar11 = uVar11 + 1 & 0xff;
} while (uVar11 < uVar9);
}
*puVar6 = 0;
puVar6[1] = bVar1 + 5;
puVar6[2] = 99;
puVar6[3] = param_1[3];
puVar6[4] = param_1[4];
puVar6[5] = param_1[5];
puVar6[6] = param_1[6];
Diag_Msg_Ready? = 1;
}
return;
}
/* requestOutOfRange */
Diag_Response(lVar5,0x31);
return;
}
It looks like the function "Check_Address_Range?" that I have is doing the verification of the address and size requested and returning a bool based on the check. It seems like perhaps if the security is unlocked then it allows for a larger memory address access.
I have tried to understand how that function works to potentially figure out how to format the message address, but haven't figured it out as of yet. Obviously I could just try to send a bunch of messages until I get a positive response and then that could tell me more about how that function works, but I haven't done that.
Either way lots more work to be done, but I'll eventually figure it out.